b'E           valuation\n\n\nR            eport\n\n          FY 2001 DOD INFORMATION SECURITY STATUS FOR\n           GOVERNMENT INFORMATION SECURITY REFORM\n\n\n\nReport No. D-2001-184                        September 19, 2001\n\n\n\n\n             Office of the Inspector General\n                 Department of Defense\n\x0c      Additional Copies\n\n      To obtain additional copies of this evaluation report, visit the Inspector General,\n      DoD, Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary\n      Reports Distribution Unit of the Audit Followup and Technical Support\n      Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n      Suggestions for Future Evaluations\n\n      To suggest ideas for or to request future audits, contact the Audit Followup and\n      Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n      fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                     OAIG-AUD (ATTN: AFTS Evaluation Suggestions)\n                        Inspector General, Department of Defense\n                           400 Army Navy Drive (Room 801)\n                               Arlington, VA 22202-4704\n\n      Defense Hotline\n\n      To report fraud, waste, or abuse, contact the Defense Hotline by calling\n      (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\n      by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.\n      The identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nAIS                Automated Information System\nCIO                Chief Information Officer\nDISA               Defense Information Systems Agency\nDITSCAP            DoD Information Technology Security Certification and\n                      Accreditation Process\nGISRA              Government Information Security Reform Act\nIT                 Information Technology\nNIPRNet            Non-secure Internet Protocol Router 
Network\nOMB                Office of Management and Budget\n\x0c\x0c                      Office of the Inspector General, DoD\nReport No. D-2001-184                                              September 19, 2001\n  Project No. D2001AD-0071.002\n\n               FY 2001 DoD Information Security Status for\n                Government Information Security Reform\n\n                                 Executive Summary\n\nIntroduction. The Government Information Security Reform Act (the Act) directs\neach Federal agency to evaluate its information security program and practices annually\nand, as part of the budget process, submit the results to the Office of Management and\nBudget. The Act covers unclassified and national security systems and creates the same\nsecurity management framework for each. The Act establishes parallel requirements\nfor the agency and the agency Inspector General. Specifically, the Act requires DoD to\nannually evaluate its information security program and practices and confirm their\neffectiveness by testing a subset of systems. The Act also requires the Office of the\nInspector General to evaluate the DoD information security program and practices and\nto independently select and test a subset of systems to confirm the effectiveness of the\ninformation security program.\n\nObjectives and Scope. The overall objective was to respond to the requirements of the\nGovernment Information Security Reform Act, title X, subtitle G of the FY 2001\nFloyd D. Spence National Defense Authorization Act (Public Law 106-398). The\nOffice of the Inspector General, DoD, selected an independent subset of applications to\nassess the effectiveness of DoD information security policy and practices. The Army\nAudit Agency and the Air Force Audit Agency supported the Office of the Inspector\nGeneral, DoD, in that review. 
In addition, the Office of the Inspector General, DoD,\nidentified and summarized information security and information assurance concerns\nfrom April 1, 2000, through August 22, 2001. The subset results, the information\nassurance report summary, and the Army Audit Agency and Air Force Audit Agency\nspecific discussion of the questions posed by the public law form the basis of our\nresults.\n\nResults. Although DoD has made progress in developing various information\nassurance initiatives, DoD still needs to establish and implement a DoD-wide\ninformation security plan to better manage and coordinate collective efforts by the DoD\nComponents in protecting and defending DoD systems and networks. The results that\nfollow appear with the corresponding number from the Office of Management and\nBudget reporting guidance. The guidance requires the Office of the Inspector General,\nDoD, to respond to questions 2 through 13.\n\x0c2. Identify the total number of programs included in the program reviews or\nindependent evaluations.\n\nThe Office of the Inspector General, DoD, the Army Audit Agency, and the Air Force\nAudit Agency collaborated on a review of a subset of applications resident on the\nDefense Information Systems Agency-owned Centers and Detachments. The statistical\nsample randomly selected from that subset was 90 of 1,365 applications, organized by\nunique names from a total population of 4,939 applications. The Defense Enterprise\nComputing Centers and Detachments support multiple DoD Components, installations,\nand functions. The applications support functions that include financial accounting;\npersonnel; pay and disbursement; materiel shipping, receiving, and storing; munitions\nmaintenance; and weapon systems.\n\n3. 
Describe the methodology used in the program reviews and the methodology\nused in the independent evaluations.\n\nTo assess the information technology security posture of DoD, the Office of the\nInspector General, DoD, selected a random sample of business applications from a\nsubset of systems. For those applications, the objective was to identify security\npersonnel, such as the Information System Security Officer and the Designated\nApproval Authority, and to determine whether the applications had a Certification and\nAccreditation or an Interim Authority to Operate.\n\n4. Report any material weakness in policies, procedures, or practices as identified\nand required under existing law.\n\nOf 49 reports summarized in Inspector General, DoD, Report No. D-2001-182,\n\xe2\x80\x9cInformation Assurance Challenges\xe2\x80\x94a Summary of Audit Results Reported April 1,\n2000, through August 22, 2001,\xe2\x80\x9d September 19, 2001, 23 reports identified weaknesses\nin policies, procedures, or practices concerning information assurance. Thirteen\nreports specified that the control weaknesses identified were material.\n\n5. Describe the specific measures of performance used to ensure program officials\nhave: 1) assessed the risk to operations and assets under their control;\n2) determined the level of security appropriate to protect such operations and\nassets; 3) maintained an up-to-date security plan (that is practiced throughout the\nlife cycle) for each system supporting the operations and assets under their control;\nand 4) tested and evaluated security controls and techniques. Include information\non the actual performance for each of the four categories.\n\nThe DoD integrated assessing risk, identifying appropriate security level, maintaining a\ncurrent security plan, and testing and evaluating security controls and techniques into its\nDoD Information Technology Security Certification and Accreditation Process\nprogram. 
Based on the results of our review of the subset of systems from the Defense\nEnterprise Computing Centers and Detachments, DoD had not fully implemented\nsecurity policy. Written, current certification and accreditations were not available for\nan estimated 60 percent of the subset population of 1,365 applications. Certification\nand accreditation are the technical evaluation of security features of an application or\n\n\n                                            ii\n\x0csystem and the formal declaration to operate the application or system. The DoD\nmanagers had not fully implemented information security policy because definitions for\nsystem, application, and other means of establishing security parameters and\nresponsibilities were unclear. The parameters of and responsibility for information\nsecurity were made more complex by the DoD practice of approving different\norganizations to design, develop, manage, use, and operate information technology\napplications.\n\n6. Describe the specific measures of performance used to ensure that the CIO:\n1) adequately maintains an agency-wide security program; 2) ensures the effective\nimplementation of the program and evaluates the performance of major agency\ncomponents; and 3) ensures the training of agency employees with significant\nsecurity responsibilities. Include information on the actual performance for each\nof the three categories.\n\nAlthough DoD Directive 5200.28 specifically assigns oversight and review for\nimplementation of its stated policies to the Assistant Secretary of Defense (Command,\nControl, Communications, and Intelligence), the Assistant Secretary had no mechanism\nin place to provide that oversight. Additionally, the directive assigns responsibility to\nDoD Component heads for implementing and ensuring compliance with the directive,\nand for programming funds and resources to support information security. 
The DoD\nComponents also had no mechanisms for comprehensively measuring compliance with\nDoD Directive 5200.28. The Assistant Secretary also had not established a DoD\nenterprise information security plan to consistently apply information assurance to all\nDoD systems and networks. Further, the changing information technology\nenvironment made it difficult to maintain current security policies and practices.\n\n7. Describe how the agency ensures that employees are sufficiently trained in their\nsecurity responsibilities. Identify the total number of agency employees and briefly\ndescribe what types of security training were available during the reporting period,\nthe number of agency employees that received each type of training, and the total\ncosts of providing such training.\n\nThe Office of the Inspector General, DoD, did not identify the total number of DoD\nemployees who required information security training, the types of security training\navailable during the reporting period, the number of DoD employees who received each\ntype of training, or the total costs of providing training. Specifically, the Office of the\nInspector General, DoD, observed, in Report No. D-2001-182, that the DoD was\nprogressing towards its information assurance training and certification requirements.\nDoD established the Human Resources Development Functional Area to develop and\ninstitute the means to continually improve education, training, and awareness of\npersonnel required to carry out the DoD information assurance mission.\n\n8. Describe the documented procedures for reporting security incidents and\nsharing information regarding common vulnerabilities. Include a description of\nprocedures for external reporting to law enforcement authorities and to the\n\n\n\n\n                                            iii\n\x0cGeneral Services Administration\xe2\x80\x99s FedCIRC. 
Include information on the actual\nperformance and the number of incidents reported.\n\nPrior audit and investigative coverage showed that, although the DoD was making\nprogress in reporting and investigating security incidents, additional improvements were\nneeded. Inspector General, DoD, Report No. D2001-013, \xe2\x80\x9cDoD Compliance With the\nInformation Assurance Vulnerability Alert Policy,\xe2\x80\x9d December 1, 2000, evaluated the\nDoD procedures for reporting security incidents and sharing information about common\nvulnerabilities. The report stated that DoD had made significant progress towards\nimplementing its procedures and planned to be fully compliant by April 2001.\nHowever, as of August 31, 2001, the Office of the Assistant Secretary of Defense\n(Command, Control, Communications, and Intelligence) had not issued a formal\ninstruction, identified the positions and skills needed by the primary and secondary\npoints of contact, or issued an implementation plan for the Information Assurance\nVulnerability Alert process. The Army Audit Agency noted that the Army improved its\ninformation security posture by establishing the Army Computer Emergency Response\nTeam and the Information Assurance Vulnerability Alert Compliance Verification\nTeam.\n\nIn the area of computer crime, in FY 2001, the Defense Criminal Investigative\nOrganizations (the Army Criminal Investigation Command, the Naval Criminal\nInvestigative Service, the Air force Office of Special Investigations, and the Defense\nCriminal Investigative Service) initiated 194 investigations, closed 178 investigations,\nhad 24 indictments and 18 convictions, and recovered and avoided costs of\n$2.9 million.\n\n9. Describe how the agency integrates security into its capital planning and\ninvestment control process. Were security requirements and costs reported on\nevery FY02 capital asset plan (as well as exhibit 53) submitted by the agency to\nOMB? 
If no, why not?\n\nThe Office of the Inspector General, DoD, cannot comment on whether DoD reported\nsecurity requirements and costs on every FY 2002 capital asset plan or exhibit 53\nsubmitted to the Office of Management and Budget because it did not examine those\nplans. However, the Army Audit Agency reviewed some aspects of capital planning\nand investment that it reported in Report No. AA 01-284, \xe2\x80\x9cWorkload Survey for\nInformation Technology,\xe2\x80\x9d May 31, 2001. Specifically, the Army Audit Agency\nreported that the Army had an Investment Strategy Working Group that prioritized\ninformation technology investments and aligned the Army\xe2\x80\x99s portfolio of systems with\nits requirements.\n\n10. Describe the specific methodology used to identify, prioritize, and protect\ncritical assets within the enterprise architecture, including links with key external\nsystems. Describe how the methodology has been implemented.\n\nThe Office of the Inspector General, DoD, did not specifically review a methodology\nused by the DoD to identify, prioritize, and protect critical assets within its enterprise\narchitecture. However, the Office of the Inspector General, DoD, identified the need\n\n\n                                             iv\n\x0cto improve contingency planning and certification and accreditation efforts. Those are\nareas that help DoD protect critical assets and information.\n\n11. Describe the measures of performance used by the head of the agency to\nensure that the information security plan is practiced throughout the life cycle of\neach system. 
Include information on the actual performance.\n\nThe DoD Information Technology Security Certification and Accreditation Process,\naccording to DoD Instruction 5200.40, applies to all life-cycle phases of DoD systems.\nThe DoD did not have a means of evaluating and consolidating information assurance\ndata to report the DoD information security posture, as evidenced by results from the\nInspector General review of the selected subset of applications. That review showed\n60 percent of the 1,365 applications did not have current certifications and\naccreditations made by using the DoD Information Technology Security Certification\nand Accreditation Process or any other assessment tool.\n\n12. Describe how the agency has integrated its information and information\ntechnology security program with its critical infrastructure protection\nresponsibilities, and other security programs.\n\nThe Office of the Inspector General, DoD, participated in the Joint Task Force\xe2\x80\x94\nComputer Network Defense and the National Infrastructure Protection Center\nprograms. Both programs contribute to the protection of critical infrastructure assets\nand information.\n\n13. Describe the specific methods used to ensure that contractor-provided services\nor services provided by another agency are adequately secure and meet the\nrequirements of the Security Act, OMB policy and NIST guidance, national\nsecurity policy, and agency policy.\n\nAudits are one method DoD uses to help identify weaknesses in the acquisition policies\nand procedures for information technology services. Five reports, by the Office of the\nInspector General, DoD, and the Air Force Audit Agency, identified weaknesses with\ncontractor-provided information technology services. One of the weaknesses identified\nwas the failure to require security investigations of contractor employees, including\nforeign nationals, prior to the employees writing software code for critical systems. 
In\naddition, those reports documented commercial packages that did not have adequate\ncontrols to safeguard sensitive financial information and contracts that did not have\nadequate contract administration for security requirements.\n\nRecommendations to Improve the Government Information Security Reform\nReporting Process. The Office of the Inspector General, DoD, recommends that the\nOffice of Management and Budget take the following actions to improve the process of\nresponding to the Government Information Security Reform Act.\n\n     \xe2\x80\xa2 Carefully define terminology in future reporting guidance. Interpretations of\n       the terminology used to discuss information security varied and resulted in\n       responses about very different things. Terms that were subject to interpretation\n\n\n                                           v\n\x0c  and extensive debate included system, application, network, mission-critical,\n  and mission-essential. The guidance needs to define the terminology to the\n  extent necessary for comparable discussions.\n\n\xe2\x80\xa2 Clarify what the agency should evaluate for information security. The debate\n  on terminology extends to the items that an agency should consider in\n  evaluating information security. The guidance should specify that all\n  information technology investments are included. Further, the distinction\n  between national security systems and all other systems should be discontinued\n  to facilitate consistent information security coverage.\n\n\xe2\x80\xa2 Improve the timing of guidance and responses. Guidance on the specific\n  information that the agencies should include in their reports to the Congress\n  needs to be available at the beginning of the reporting year. The official\n  Government Information Security Reform reporting guidance was not available\n  until late June 2001 for a reporting date of October 1, 2001. 
Changes to the\n  questions for discussion for the next reporting period need to be available\n  before the agencies plan and accomplish the reviews to provide responses to the\n  Government Information Security Reform Act requirements. If the\n  Government Information Security Reform Act continues to require the\n  Inspector General, DoD, to report results from audits of independent\n  evaluations on national security systems, the Office of Management and Budget\n  should initiate a legislative request to establish a separate reporting period for\n  national security systems. That reporting period should allow sufficient time\n  for the audit function to validate the results of the independent evaluations.\n\n\n\n\n                                      vi\n\x0cTable of Contents\n\nExecutive Summary\n\nIntroduction\n     The Inspector General, DoD, Response to Address the Government\n       Information Security Reform Act                                  1\n     Background                                                         3\n     Objectives                                                         4\n\nFinding\n     Responses to Questions on Government Information Security Reform   5\n\nAppendixes\n     A. Evaluation Process\n          Scope                                                         16\n          Methodology                                                   17\n     B. Prior Coverage                                                  20\n     C. Army Audit Agency Responses to Office of Management and\n         Budget Questions                                               25\n     D. Air Force Audit Agency Responses to Office of Management\n          and Budget Questions                                          36\n     E. Reports Specifying Management Control Weaknesses                42\n     F. 
Report Distribution                                             46\n\x0cThe Inspector General, DoD, Response to Address the\n  Government Information Security Reform Act\n    General Provisions of Government Information Security Reform. On\n    October 30, 2000, the President signed the Defense Authorization Act of\n    FY 2001 (Public Law 106-398) that included title X, subtitle G, \xe2\x80\x9cGovernment\n    Information Security Reform\xe2\x80\x9d Act (GISRA). Subtitle G provides for ensuring\n    effective controls for highly networked Federal information resources,\n    management and oversight of information security risks, and a reporting\n    mechanism for improved information system security oversight and assurance\n    for Federal information security programs. The GISRA directs each Federal\n    agency (the DoD for purposes of this report) to evaluate its information security\n    program and practices annually and, as part of the budget process, submit the\n    results to the Office of Management and Budget (OMB). The GISRA covers\n    unclassified and national security systems and creates the same security\n    management framework for each.\n\n    DoD and Inspector General Provisions of GISRA. The GISRA establishes\n    parallel requirements for the agency and the agency Inspector General. It\n    requires DoD to annually evaluate its information security program and\n    practices and confirm their effectiveness. GISRA also requires the Office of the\n    Inspector General to independently evaluate the DoD information security\n    program and practices, and select and test a subset of systems to confirm the\n    effectiveness of the information security program.\n\n    The Subset Selected by the Office of the Inspector General. 
The Office of\n    the Inspector General, DoD, selected its independent subset of systems from the\n    applications supported by the Defense Enterprise Computing Centers (the\n    Centers) and Detachments of the Defense Information Systems Agency (DISA).\n    As of February 2001, DISA billed its customers to run 4,939 applications,\n    comprising 1,365 unique-named applications, that became the source of the\n    subset sample. We chose a random sample of 90 applications from the\n    population of 1,365. The Army Audit Agency evaluated 34 applications and the\n    Air Force Audit Agency evaluated 19 applications supporting their respective\n    Components. The Office of the Inspector General, DoD, evaluated the balance\n    of 37 applications, which supported the Navy, the Defense Finance and\n    Accounting Service, and the Defense Logistics Agency.\n\n    OMB Guidance and Reporting Instructions for GISRA. The OMB issued\n    guidance implementing GISRA in memorandum M-01-08, \xe2\x80\x9cGuidance on\n    Implementing the Government Information Security Reform Act,\xe2\x80\x9d January 16,\n    2001. That guidance broadly outlined responsibilities within agency structures\n    for evaluating and reporting information security.\n\n    On June 22, 2001, the OMB issued the memorandum 01-24, \xe2\x80\x9cReporting\n    Instructions for the Government Information Security Reform Act,\xe2\x80\x9d that it\n    directed to the heads of executive departments and agencies. Memorandum 01-\n    24 provides instructions for completing the executive summary required by the\n    GISRA. OMB directed agency Chief Information Officers (CIO) and program\n\n\n                                        1\n\x0cofficials, including the DoD, to respond to 14 comprehensive questions\ndescribed in the memorandum. 
Each agency Inspector General would respond\nto questions on the results of its independent evaluation of the agency\xe2\x80\x99s\ninformation security status except those questions concerning the total\ninformation security funding and the strategy to correct security weaknesses.\n\nSources of Support for GISRA Reporting Requirements. A primary source\nof support for our responses to the OMB questions was the evaluation of the\nindependently selected subset from the applications operating at the DISA\nCenters and Detachments. The Army Audit Agency and the Air Force Audit\nAgency contributed significantly to that evaluation. In addition, those audit\nagencies provided the Office of the Inspector General, DoD, with responses to\nthe OMB questions for their respective Components. (See Appendix C for the\nArmy Audit Agency responses and Appendix D for the Air Force Audit Agency\nresponses.) Reports, evaluations, and information collected for the period from\nApril 2000 through August 2001 from the following sources were also used to\ndevelop the responses: General Accounting Office; Office of the Inspector\nGeneral, DoD, Army Audit Agency, Naval Audit Service, and Air Force Audit\nAgency.\n\nWe did not validate the DoD responses to the OMB questions because the DoD\nand the Office of the Inspector General, DoD, concurrently collected and\nevaluated data and developed separate responses to submit to OMB.\n\nWe could not obtain comprehensive information to respond to all of the OMB\nquestions. In keeping with the January 16, 2001, OMB memorandum, we\nselected a subset of systems from the business applications operated at the DISA\nCenters and Detachments to test the effectiveness of the DoD security program\nand practices. 
In our overall response, we also used those audits, evaluations,\nand inspections completed during FY 2001 that addressed information security.\nWe were unable to plan the reviews to respond specifically to the OMB\nquestions because those questions were not available until June 2001.\nRecommendations to Improve the GISRA Process. The experience gained in\nresponding to GISRA requirements for the first time highlighted some\nopportunities to improve the process. Our recommendations for the OMB are in\nthe following discussion.\n\n          Carefully Define GISRA Terminology. Interpretations of the\nterminology used to discuss information security varied and resulted in very\ndifferent responses to GISRA requirements and OMB questions. For example,\nthe OMB guidance asked that the agency identify the total number of programs\nincluded in the program review. The Air Force Audit Agency interpreted\nprogram to mean operational programs, such as the Air Force Materiel\nCommand system, \xe2\x80\x9cProgrammed Depot Maintenance Scheduling System\n(GO97).\xe2\x80\x9d In contrast, the Army Audit Agency interpreted program to mean\nfunctional areas of interest such as the Army-wide security program, \xe2\x80\x9cNetwork\nSecurity Improvement Program (sustaining base).\xe2\x80\x9d Other terminology that was\nsubject to interpretation and extensive debate included system, application,\n\n\n\n                                    2\n\x0c    network, mission-critical, and mission-essential. We believe OMB needs to\n    define the terminology to the extent necessary for comparable topic discussions.\n\n              Clarify What the Agency Should Evaluate for Information\n    Security. The debate of terminology extended to the items that an agency\n    should consider in information security evaluations. 
Interpretations also varied\n    on whether GISRA applied to non-mission-critical and non-mission-essential\n    weapons systems, communications networks, business systems, and Information\n    Technology (IT) funded outside the DoD IT Registry requirements. We believe\n    that OMB should clarify its guidance to include all IT investments. Further, we\n    believe that the distinction between national security systems and all other\n    systems should be discontinued to facilitate consistent information security\n    coverage.\n\n              Improve the Timing of Guidance and Responses. The OMB needs\n    to issue guidance on the specific information that the agencies should include in\n    their reports to OMB and Congress at the beginning of the reporting year. The\n    official GISRA reporting guidance was not available until late June 2001, which\n    left insufficient audit lead time because of the firm reporting date of October 1,\n    2001. Changes to the questions for discussion for the next reporting period\n    need to be available before the agencies plan and accomplish the reviews to\n    provide responses to the GISRA requirements. If GISRA continues to require\n    the Inspector General, DoD, to report results from audits of independent\n    evaluations on national security systems, OMB should initiate a legislative\n    request to establish a separate reporting period for national security systems.\n    That reporting period should allow sufficient time for the audit function to\n    validate the results of the independent evaluations.\n\nBackground\n    The DoD IT Universe. The DoD has thousands of IT processes that comprise\n    its IT universe. One can categorize those processes according to a variety of\n    criteria, including function, criticality, locality, and owner or operator. 
Two categories or populations identified in DoD for the FY 2001 GISRA review were the IT Registry systems and the business applications supported by the Centers, for which DISA billed its customers. Some of those Center-supported processes or applications were also included in the IT Registry, though not all were.

IT Registry Database of Systems. Public Law 106-398, section 811, "Acquisition and Management of Information Technology," requires DoD to register all mission-critical and mission-essential IT systems with the DoD CIO in the IT Registry. To obtain funding, a system must be in the IT Registry. The IT Registry requires 17 data fields, including system name, description, functional area, and program manager information. As of August 30, 2001, DoD Components registered 3,783 unclassified IT systems with the CIO.

Center-Supported Applications. The Centers and Detachments of DISA provided general support systems, including mainframe computers, minicomputers, and local area networks, for its customers' applications. Each Center operates under the control of the Center commanding officer, with system security functions accomplished by the designated security manager and the information systems security manager. The DISA has five Centers that are located in Mechanicsburg, Pennsylvania; Columbus, Ohio; St. Louis, Missouri; Oklahoma City, Oklahoma; and Ogden, Utah. In addition, there are Detachments or satellite sites at 14 other locations. The Center customers are the Military Departments and other Defense agencies with installations throughout the United States. The customer applications that the Centers and Detachments run to support DoD installations include financial accounting; personnel; pay and disbursement; materiel shipping, receiving, and storing; munitions maintenance; and weapon systems.

The DoD Information Security Program. The primary document establishing the DoD information security program is DoD Directive 5200.28, "Security Requirements for Automated Information Systems," March 21, 1988, which provides the mandatory, minimum security requirements for automated information systems (AISs) based on acceptable levels of risk. Directive 5200.28 has several companion regulatory and procedural documents, including DoD Instruction 5200.40, "DoD Information Technology Security Certification and Accreditation Process" (DITSCAP), December 30, 1997.

The DITSCAP Program. DoD Instruction 5200.40 implements DoD Directive 5200.28; it prescribes procedures to accomplish policy goals and establishes standards for certifying and accrediting the security of DoD IT systems throughout their life cycles.

Objectives

The overall evaluation objective was to respond to the GISRA requirements of title X, subtitle G of the FY 2001 Floyd D. Spence National Defense Authorization Act (Public Law 106-398). We did not evaluate the management control program separately because the DoD recognized information security and assurance programs as a material weakness in its most current Statement of Assurance. In addition, the GAO identified information security as a high risk. See Appendix A for a discussion of the evaluation scope and methodology. See Appendix B for prior coverage related to the evaluation objectives.

Responses to Questions on Government Information Security Reform

The results correspond with the numbered questions from OMB reporting guidance. The guidance requires the Office of the Inspector General, DoD, to respond to questions 2 through 13.

2. Identify the total number of programs included in the program reviews or independent evaluations.

The Office of the Inspector General, DoD, the Army Audit Agency, and the Air Force Audit Agency collaborated on a review of a subset of systems from the applications resident at the DISA-owned Centers and Detachments. The statistical sample that we randomly selected from that subset was 90 of 1,365 applications, organized by unique names from a total population of 4,939 applications.
The statistical sample of 90 applications reviewed resulted in a projected point estimate to the population of 1,365 for authority to operate as follows:

                                                          Projected   Percent of
                                                          Results     Population

Current Certification and Accreditation
or Interim Authority to Operate                              501         36.7

Indeterminate: retired, transferred,
insufficient detail available to find status                 410         30.0

Other technology with no Certification and
Accreditation or Interim Authority to Operate                137         10.0

Expired Certification and Accreditation
or Interim Authority to Operate                               30          2.2

No Certification and Accreditation or Interim
Authority to Operate, or certification only                  288         21.1

  Total                                                    1,366¹       100.0

¹ The projected point estimates do not add up to the population of 1,365 due to rounding.

The Centers and Detachments support multiple DoD Components, installations, and functions. The applications provide support to functions that include financial accounting; personnel; pay and disbursement; materiel shipping, receiving, and storing; munitions maintenance; and weapon systems.

In addition to reviewing the subset, the Office of the Inspector General, DoD, compiled results reported in audits, evaluations, and GAO testimony. Those results, reported in Report No. D-2001-182, "Information Assurance Challenges-A Summary of Audit Results Reported April 1, 2000, through August 22, 2001," September 19, 2001, were from the Inspector General, DoD, the General Accounting Office, the Army Audit Agency, the Naval Audit Service, and the Air Force Audit Agency. We used that compilation to discuss some of the questions in the OMB reporting guidance. The compilation included reports that discussed security for 22 IT investments, including networks and systems for specific user requirements (for example, Air Force Research Laboratory UNIX-based computer systems, the Integrated Accounts Payable System, and the Advanced Logistics Program).

The DoD selected its systems for evaluation from a different source than the Office of the Inspector General. The DoD selected a statistical sample from the systems listed in the IT Registry. We did not validate the data collected by DoD. Although the evaluations were of different subsets of systems, both subsets provide an overview of the complexity and diversity of the DoD IT.

3. Describe the methodology used in the program reviews and the methodology used in the independent evaluations.

To assess the IT security posture of DoD, we selected a random sample of applications from a subset of systems. For those applications, the objective was to identify security personnel, such as the Information System Security Officer and the Designated Approval Authority, and to determine whether the applications had a security Certification and Accreditation or an Interim Authority to Operate. See Appendix A for details of the sample and methodology.

We obtained additional information for reporting by reviewing reports and testimony from the Office of the Inspector General, DoD; the General Accounting Office; the Army Audit Agency; the Naval Audit Service; and the Air Force Audit Agency. We reviewed those reports and testimony for general and specific information about the questions set forth in the OMB reporting guidance.

We coordinated our evaluation efforts with DoD IT officials. However, we did not evaluate the methodology DoD used to select IT systems, evaluate its security posture, and develop its responses to the OMB questions.

4. Report any material weakness in policies, procedures, or practices as identified and required to be reported under existing law (Section 2534(a)(2) of the Security Act.)

Of the 49 reports summarized in the Information Assurance Challenges report, 23 DoD reports, about 45 percent (issued by the Office of the Inspector General, Army Audit Agency, Naval Audit Service, and Air Force Audit Agency), specifically stated that policies, procedures, or practices for information assurance were a management control weakness. See Appendix E for a listing of those reports. Thirteen reports specified that the management control weaknesses identified were material. The following reports provide examples of identified material weaknesses:

Inspector General, DoD, Report No. D-2001-017, "Unclassified but Sensitive Internet Protocol Router Network Security Policy," December 12, 2000, provided an example of a material weakness in management controls. The Non-secure Internet Protocol Router Network (NIPRNet) is a network of Government-owned Internet protocol routers used to exchange unclassified but sensitive information among DoD users. The lack of security policy guidelines for the NIPRNet was a material management control weakness. The guidance that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) issued was outdated, unclear about the direct Internet connection waiver process, and not formal DoD policy.
Consequently, the requirement to follow the guidance was unenforceable and DoD lacked effective management controls over Internet access. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) agreed to take corrective actions, which are ongoing.

The Air Force Audit Agency also reported control weaknesses on the NIPRNet. The weaknesses involving the NIPRNet, along with another information assurance weakness, resulted in the Air Force reporting the weaknesses in its FY 2000 Statement of Assurance. Corrective actions planned included fielding network protection and management tools, certified professionals, and techniques and procedures to monitor, manage, and protect networks. See question 4, Appendix D, for details.

The Army Audit Agency reviewed documents about the material weakness in information security that the Army had reported since FY 1996. The Army statements of assurance reported deficiencies in systems and network security design and implementation; incident response, containment, and countermeasures; and information security education, training, and awareness. The Army's corrective action plan identified 32 corrective action milestones, of which 20 were complete by FY 2000. See question 4, Appendix C, for details.

The Naval Audit Service issued Report No. N2000-0045, "Navy Working Capital Fund Financial Management Feeder Systems for Fiscal Year 1999," September 29, 2000, which discussed material control weaknesses with the feeder systems to the working capital fund. The weaknesses included inadequate access controls, contingency planning, and system documentation. The Navy agreed to take corrective actions, which included an inventory of systems that provide financial data or support financial transactions in the Navy Working Capital Fund. The corrective actions were ongoing.

5. Succinctly describe the specific measures of performance used by the agency to ensure that agency program officials have: 1) assessed the risk to operations and assets under their control; 2) determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques. Include information on the actual performance for each of the four categories. (Section 3534(a)(2) of the Security Act.)

The DoD integrated the four categories listed into its DITSCAP program. Based on the results of our review of 90 applications from the subset of applications from DISA Centers, DoD had not fully implemented security policy. Written, current certifications and accreditations were not available for an estimated 60 percent of the subset of 1,365 applications. Certification and accreditation are the technical evaluation of the security features of an application or system and the formal declaration to operate the application or system. The DoD managers had not fully implemented information security policy because definitions for system, application, and other means of establishing security parameters and responsibilities were unclear. The parameters of and responsibility for information security were further obscured by the DoD practice of approving different organizations to design, develop, manage, use, and operate IT applications. In addition, the policy proponent, the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence); the service provider, DISA; and the Component heads provided limited oversight of policy implementation or policy applicability to the current IT environment.

In two reports, the Army Audit Agency recommended that the Army improve its process for measuring outcomes of information assurance investments. The Army subsequently developed 10 performance measures pertaining to information security. However, 6 of the 10 performance measures that the Army developed addressed only one of the categories from the OMB question: testing and evaluating security controls and techniques. None of the performance measures addressed the other OMB question categories of assessing risk, identifying appropriate security levels, or maintaining a current security plan. See question 5, Appendix C, for details.

The Air Force Audit Agency determined that managers for 76 percent of the 29 applications that it evaluated (19 applications as part of the Office of the Inspector General review and 10 supplemental applications) had not measured performance in any of the four information security categories. The Air Force managers labeled those systems that did not meet the criteria as legacy systems, which were systems that have operated for many years. The Air Force results for new and reengineered systems were more positive. According to results from Project No. 98066024, "Certification of Standard Systems," September 30, 1999, the Air Force effectively assessed risks, determined the proper level of security, maintained its security plan, and tested the security for new and reengineered systems. See question 5, Appendix D, for details.

6. Describe the specific measures of performance used by the agency to ensure that the agency CIO: 1) adequately maintains an agency-wide security program; 2) ensures the effective implementation of the program and evaluates the performance of major agency components; and 3) ensures the training of agency employees with significant security responsibilities. Include information on the actual performance for each of the three categories. (Section 3534(a)(3)-(5) of the Security Act.)

Although DoD Directive 5200.28 specifically assigns oversight and review of implementation of its stated policies to the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), the Assistant Secretary had not established a mechanism to provide that oversight. Additionally, Directive 5200.28 assigns responsibility to DoD Component heads for implementing and ensuring compliance with the endorsed policy and for programming funds and resources to support information security. The DoD Components also had no mechanisms for comprehensively measuring compliance with Directive 5200.28.

In a February 9, 2001, memorandum to all Components, the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) stated that DoD had several vehicles in place to assess information assurance and meet the intent of GISRA. According to the memorandum, the DoD required a means of evaluating and consolidating information assurance data to report the DoD information security posture. With the February memorandum, the Assistant Secretary established an integrated process team to accomplish that goal.
The team developed only reporting criteria, methodology, and a report format for the FY 2001 DoD program reviews of unclassified systems; however, neither the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) nor the integrated process team established a security plan for DoD enterprise information that would consistently apply information security requirements to all DoD systems and networks. Further, the changing IT environment made maintaining current security policies and practices difficult.

7. Describe how the agency ensures that employees are sufficiently trained in their security responsibilities. Identify the total number of agency employees and briefly describe what types of security training were available during the reporting period, the number of agency employees that received each type of training, and the total costs of providing such training. (Section 3534(a)(3)(D), (a)(4), (b)(2)(C)(i)-(ii) of the Security Act.)

We did not identify the total number of DoD employees who required information security training, the types of security training available during the reporting period, the number of DoD employees who received each type of training, or the total costs of providing training. In Inspector General, DoD, Report No. D-2001-182, "Information Assurance Challenges—a Summary of Results Reported April 1, 2000, through August 22, 2001," we observed that the DoD was progressing towards its information assurance training and certification requirements. DoD established the Human Resources Development Functional Area to develop and institute the means to continually improve education, training, and personnel awareness required to carry out the DoD information assurance mission.

The Information Assurance Challenges report also stated that DoD needs to further improve its information security training, as evidenced by 11 reports that identified information security training vulnerabilities. For example, one report stated that the DoD needs to increase user awareness and understanding regarding unusual and suspicious e-mail and other computer-related activities. Another report stated that to effectively deploy the public key infrastructure, DoD needs to train both users and system administrators to use complex and difficult technology.

The Army Audit Agency reported lack of training as a cause of systemic information security weaknesses in FY 1999 and FY 2000 audit reports. The Army Audit Agency followed up on those reports and identified Army actions to identify training needs for information security personnel over the last 2 years. The Army estimated that it had 14,000 information security personnel who required training. The Army budget was $2.9 million annually for information security training over the last 2 years. In FY 2000, the Army trained 6,650 information systems security personnel. The Army goal is to reach all information systems security personnel to provide the technical training necessary to protect information systems. See question 7, Appendix C, for details.

8. Describe the agency's documented procedures for reporting security incidents and sharing information regarding common vulnerabilities. Include a description of procedures for external reporting to law enforcement authorities and to the General Services Administration's FedCIRC. Include information on the actual performance and the number of incidents reported. (Section 3534(b)(2)(F)(i)-(iii) of the Security Act.)

The results of prior audits and investigations showed that the DoD made progress in reporting and investigating security incidents, but additional improvements were needed. For example, Inspector General, DoD, Report No. D-2001-013, "DoD Compliance With the Information Assurance Vulnerability Alert Policy," December 1, 2000, evaluated DoD procedures for reporting security incidents and sharing information about common vulnerabilities. The report stated that DoD had made significant progress towards implementing its procedures and planned to be fully compliant by April 2001. However, as of August 31, 2001, the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) had not issued a formal instruction, identified the positions and skills needed by the primary and secondary points of contact, or issued an implementation plan for the Information Assurance Vulnerability Alert process.

The Defense Criminal Investigative Service participates as a member of the Law Enforcement and Counterintelligence Center that DoD established to coordinate criminal and counterintelligence computer intrusion investigations and to disseminate relevant information to the military commands. The Defense Criminal Investigative Organizations (Army Criminal Investigation Command, Naval Criminal Investigative Service, Air Force Office of Special Investigations, and Defense Criminal Investigative Service) reported 86 incidents of root access and 313 incidents of other access for the period from October 1, 2000, through July 31, 2001. The Defense Criminal Investigative Organizations reported computer crime activity for that period of 194 investigations initiated, 178 investigations closed, 24 indictments, and 18 convictions.
The total monetary recoveries and cost avoidance from computer crime investigations for that period amounted to $2.9 million.

Additionally, the Army Audit Agency issued two reports on procedures for reporting security incidents and sharing common vulnerabilities: Report No. AA 00-286, "Information Assurance—Phase IV: Reporting Process and Vulnerability Assessment Results," June 30, 2000, and Report No. AA 00-287, "Information Assurance—Phase V: Information Assurance Vulnerability Alert Process," June 30, 2000. The Army Audit Agency reported positive progress towards implementing security incident reporting procedures. According to the Army Audit Agency, the Army further improved its information security posture by establishing the Army Computer Emergency Response Team and the Information Assurance Vulnerability Alerts Compliance Verification Team. The Compliance Verification Team reports quarterly to the Secretary of the Army through the Office of the Director of Information Systems for Command, Control, Communications, and Computers. The Army's Computer Emergency Response Team accomplished external reporting through the Joint Task Force—Computer Network Operations. The Joint Task Force communicated information to the Federal Computer Incident Response Capability and to external law enforcement. As of June 18, 2001, the Army reported 10,386 incidents. See question 8, Appendix C, for details.

9. Describe how the agency integrates security into its capital planning and investment control process. Were security requirements and costs reported on every FY02 capital asset plan (as well as exhibit 53) submitted by the agency to OMB? If no, why not? (Sections 3533(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.)

The Office of the Inspector General, DoD, cannot comment on whether DoD reported security requirements and costs on every FY 2002 capital asset plan or exhibit 53 that it submitted to OMB because time did not permit examination of those plans.

The Army Audit Agency reviewed some aspects of capital planning and investment that it reported in Report No. AA 01-284, "Workload Survey for Information Technology," May 31, 2001. The Army Audit Agency reported that the Army's Investment Strategy Working Group prioritized information technology investments and aligned the Army's portfolio of systems with its requirements. In its review of two Management Decision Packages for information assurance, the Army Audit Agency reported that the Army disseminated clear guidance on capturing security requirements. In addition, the Army appropriately identified the Management Decision Packages as its tool to capture information assurance requirements, report milestones, and specify costs (training, salaries, and tools). See question 9, Appendix C, for details.

10. Describe the specific methodology (for example, Project Matrix review) used by the agency to identify, prioritize, and protect critical assets within its enterprise architecture, including links with key external systems. Describe how the methodology has been implemented. (Sections 3535(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.)

We did not identify or review a specific DoD methodology to identify, prioritize, and protect critical assets within the DoD enterprise architecture. However, the Inspector General, DoD, reported on improvements needed in related areas.

Mission or Business Area IT Investments. Inspector General, DoD, Report No. D-2001-175, "Application of Year 2000 Lessons Learned," August 22, 2001, stated that although the DoD CIO could have used the core processes, missions, and systems identified during the year 2000 effort to manage information technology investments, he had not. The report recommended that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) implement a mission or business area approach for managing information technology investments. A mission or business area approach would necessitate identifying and prioritizing critical assets within the enterprise architecture.

Identification in the DoD IT Registry. The IT Registry is required by title VIII, subtitle B, "Information Technology," section 811, Public Law 106-398, which directs that all DoD Components must register, and thereby identify, mission-critical and mission-essential IT systems with the DoD CIO before the systems can be funded. As of August 30, 2001, DoD Components registered 3,783 unclassified mission-critical and mission-essential IT systems in the IT Registry. We compared our subset of systems from DISA Centers to the IT Registry. Not all systems operated on DISA platforms were registered. Of the 90 items that the Inspector General, DoD; the Army Audit Agency; and the Air Force Audit Agency sampled, 21 were also listed in the IT Registry. In addition, 10 applications in that sample supported 2 other major systems listed in the IT Registry. We did not review the effectiveness or completeness of the IT Registry.

The Army Audit Agency conducted a limited review of the Army's methodology and use of the IT Registry. The Army Audit Agency reported that the Army used the IT Registry to identify critical assets, including links with key external systems. According to the Army Audit Agency's August 2001 GISRA response, the Army had registered 1,090 mission-critical and mission-essential systems.

Contingency Planning. Inspector General, DoD, Report No. D-2001-182, "Information Assurance Challenges--A Summary of Results Reported April 1, 2000, through August 22, 2001," September 19, 2001, listed 11 reports that identified weaknesses in contingency planning. Contingency planning also requires identifying and prioritizing critical assets.

Certification and Accreditation. The DITSCAP establishes a standard certification and accreditation process for information technology that leads to more secure system operations and a more secure Defense information infrastructure. The certification and accreditation process should consider the system mission, environment, architecture, and impact on the Defense information infrastructure. The results of the Inspector General, DoD, review of DITSCAP implementation are discussed in question 11.

Programs to Protect Critical IT Assets—Not Evaluated. The DoD had several programs designed to protect IT assets. The programs did not require identification or prioritization within the enterprise architecture.

Defense in Depth. The DoD has an information assurance strategy called Defense in Depth, which the Office of the Inspector General, DoD, has not yet evaluated. The Defense in Depth strategy integrates the capabilities of people, operations, and technology to achieve strong, effective, multi-layer, multi-dimensional protection. That concept includes firewalls, external routers to filter unauthorized traffic, switches to process and filter authorized types of communications, and closing the vulnerabilities in each device connected to the network.

Joint Task Force—Computer Network Defense. The Joint Task Force—Computer Network Defense, which achieved initial operational capability in January 1999, has the goal of coordinating defense and detecting intrusion of DoD computer networks and systems. The Joint Task Force collects data on organized information attacks against critical DoD information networks, formulates courses of action against threat attacks, coordinates and directs DoD actions for defense, and prioritizes survey-action and mission-critical workarounds.

Law Enforcement and Counterintelligence Center. The Defense Criminal Investigative Service participates in the Law Enforcement and Counterintelligence Center. The Center investigates criminal and counterintelligence computer intrusions, coordinates its investigations with other law enforcement agencies, and disseminates information to the military commands to protect the security of military operations.

11. Describe the measures of performance used by the head of the agency to ensure that the agency's information security plan is practiced throughout the life cycle of each agency system. Include information on the actual performance. (Sections 3533(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.)

We reviewed the implementation of the DITSCAP process as an objective for the subset of systems that we sampled. The DITSCAP, according to DoD Instruction 5200.40, applies to all life-cycle phases of DoD systems. We determined that an estimated 60 percent of the 1,365 applications from which we selected our sample did not have current certifications and accreditations, using the DITSCAP or any other assessment tool. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) stated that it had several vehicles in place to assess information assurance but did not have a way to evaluate and consolidate information assurance data to report the DoD information security posture.
Without the means of evaluating and consolidating\ndata, DoD could not measure performance of information security throughout a\nsystem\xe2\x80\x99s life cycle.\n\n12. Describe how the agency has integrated its information and information\ntechnology security program with its critical infrastructure protection\n\n\n\n                                    13\n\x0cresponsibilities, and other security programs (for example, physical and\noperational). (Sections 3534 (a)(1)(B) and (b)(1) of the Security Act.)\n\nThe Office of the Inspector General, DoD, participated in the Joint Task\nForce\xe2\x80\x94Computer Network Defense and the National Infrastructure Protection\nCenter programs. Both programs contribute to the protection of critical\ninfrastructure assets and information and are described below.\n\n          Joint Task Force\xe2\x80\x94Computer Network Defense. In response to\nPresidential Decision Directive 63, \xe2\x80\x9cCritical Infrastructure Protection,\xe2\x80\x9d\nMay 1998, the DoD established a joint military organization to identify and\nmitigate threats to DoD information networks and direct the defense of the\nDefense Information Infrastructure. The mission of the U.S. Space Command,\nJoint Task Force\xe2\x80\x94Computer Network Defense is to coordinate and direct the\ndefense of DoD computer systems and information networks in conjunction with\nthe unified commands, Services, and Defense agencies. In addition,\nPresidential Decision Directive 63 requires each Executive department to\ndevelop a plan and take deliberate actions to protect its specific information\ninfrastructure.\n\n          National Infrastructure Protection Center. The National\nInfrastructure Protection Center, established in February 1998, coordinates\ninvestigative information related to computer network intrusions and provides\nearly warnings of threats. 
It is an interagency, public-private entity of\nrepresentatives from Federal agencies, including DoD, state and local\ngovernments, and the private sector. Presidential Decision Directive 63\nrequires that DoD assign personnel to the National Infrastructure Protection\nCenter. DoD assigned 18 personnel for 2 years, with an option to extend for\nanother year. The assigned positions ranged from administrative assistant to\nDeputy Chief, National Infrastructure Protection Center, and included criminal\ninvestigators in management positions.\n\nSince May 2000, the General Accounting Office testified several times about\ncritical infrastructure protection, including the DoD critical infrastructure. The\ntestimony summarized that the DoD and others needed to improve efforts to\nprotect critical infrastructure; specifically, efforts to gather and share data. For\nexample, the Director of Governmentwide and Defense Information Systems\nand the Director of the Office of Computer Information Technology\nAssessment, General Accounting Office, testified in May 2000 about the\nILOVEYOU computer virus. The testimony included DoD as an example of an\nentity requiring action because of the virus. DoD was also one of the subjects\nof critical infrastructure testimony in June, July, and September 2000, and\nMay 2001.\n\n13. Describe the specific methods (for example, audits or inspections) used\nby the agency to ensure that contractor-provided services (for example,\nnetwork or website operations) or services provided by another agency are\nadequately secure and meet the requirements of the Security Act, OMB\n\n\n\n\n                                     14\n\x0cpolicy and NIST guidance, national security policy, and agency policy.\n(Sections 3532(b)(2), 3533(b)(2), 3534(a)(1)(B) and (b)(1) of the Security\nAct.)\n\nAudits are one method DoD uses to identify weaknesses in the policies and\nprocedures used to acquire IT assets and services. 
In the past 2 years, six
reports were issued addressing contractor-developed and contractor-provided
software.

Inspector General, DoD, Report No. D-2001-141, “Allegations to the Defense
Hotline on the Defense Security Assistance Management System,” June 19,
2001, stated that since 1995, the contractor for the Defense Security Assistance
Management System had used 174 employees without security investigations,
including at least 38 foreign nationals, to work on the system. The report
further stated that contractor employees without security investigations worked
on 52 of the 364 task orders reviewed that were awarded on the DISA Defense
Enterprise Integration Services II contract. Management agreed to amend DoD
Regulation 5200.2-R to require uniform investigative and adjudicative
requirements for all contractor employees, including foreign nationals.

Inspector General, DoD, Report No. D-2001-127, “Data Reliability Assessment
Review of win.COMPARE2 Software,” May 23, 2001, stated that the
win.COMPARE2 software, for which the Air Force contracted development,
had adequate general and application controls.

Inspector General, DoD, Report No. D-2001-148, “Automated Transportation
Payments,” June 22, 2001, stated that the U.S. Transportation Command
contracted for a commercial electronic commerce package to make
transportation payments. The commercial package did not have adequate
controls to safeguard sensitive financial information or ensure production of
reliable data. In addition to recommendations on the specific commercial
package, the report recommended that the Assistant Secretary of Defense
(Command, Control, Communications, and Intelligence) clarify and expand the
guidance on commercial products.

The Air Force Audit Agency completed three audits on contractor-provided
services: Report No. 99066040, “Air Force Research Laboratory UNIX-Based
Computer Systems,” May 21, 2001; Report No. 99066017, “Information
Assurance—Implementing Controls Over Known Vulnerabilities in Air Force
Space Command Computers,” May 26, 2000; and Report No. 99066019,
“Information Assurance—Implementing Controls Over Known Vulnerabilities in
Air Force Materiel Command Computers,” March 2, 2000. The Air Force
contract administration efforts and oversight provisions did not provide adequate
managerial control. Specifically, contracts within two major commands did not
specify performance criteria for implementing countermeasures identified in
Air Force Computer Emergency Response Team advisories. None of the five
contracts reviewed at one major command contained requirements for the
contractor to adhere and respond to the advisories in the required time frames.
During followup within that command, the Air Force Audit Agency noted that
command leadership had begun reversing contracting-out efforts and turning to
military and civil service personnel to operate networks and technology
services for the command.

Appendix A. Evaluation Process

Scope
    This report is in response to the GISRA requirements of the Floyd D. Spence
    National Defense Authorization Act for FY 2001. This report includes
    information assurance weaknesses identified in the Information Assurance
    Challenges summary report, which discussed reports issued from April 1, 2000,
    through August 22, 2001, and results from the independent evaluation of a
    subset of DoD systems. The independent evaluation, Inspector General, DoD,
    Report No.
    D-2001-183, “Implementation of DoD Information Security Policy
    for Processing Accomplished at Defense Enterprise Computing Centers,”
    September 19, 2001, was accomplished January through July 2001. The Army
    Audit Agency and Air Force Audit Agency supported the GISRA effort by
    evaluating applications in the selected subset and by responding to the OMB
    questions in Memorandum 01-24, “Reporting Instructions for the Government
    Information Security Reform Act.”

    DoD-Wide Corporate Level Government Performance and Results Act
    Coverage. In response to the Government Performance and Results Act, the
    Secretary of Defense annually establishes DoD-wide corporate level goals,
    subordinate performance goals, and performance measures. This report pertains
    to information assurance as well as achievement of the following goal,
    subordinate performance goal, and performance measure.

           •   FY 2001 DoD Corporate Level Goal 2: Prepare now for an
               uncertain future by pursuing a focused modernization effort that
               maintains U.S. qualitative superiority in key warfighting capabilities.
               Transform the force by exploiting the Revolution in Military Affairs,
               and reengineer the Department to achieve a 21st century
               infrastructure. (01-DoD-02)

           •   FY 2001 Subordinate Performance Goal 2.5: Improve DoD
               financial and information management. (01-DoD-2.5) FY 2001
               Performance Measure 2.5.3: Qualitative Assessment of Reforming
               Information Technology (IT) Management. (01-DoD-2.5.3)

    Reform Goals. Most major DoD functional areas have also established
    performance improvement reform objectives and goals. This report pertains to
    achievement of the following functional area objectives and goals.

           Information Management Functional Area.

           •   Objective: Provide services that satisfy customer information needs.
               Goal: Modernize and integrate Defense Information Infrastructure.
               (IM-2.3) Goal: Improve information technology management tool.
               (IM-2.5)

           •   Objective: Reform information technology management processes to
               increase efficiency and mission contribution. Goal: Institutionalize
               provisions of the Information Technology Management Reform Act
               of 1996. (IM-3.1) Goal: Institute fundamental information
               technology management reform efforts. (IM-3.2)

           •   Objective: Ensure DoD’s vital resources are secure and protected.
               Goal: Make Information Assurance (IA) an integral part of DoD
               Mission Readiness Criteria. (IM-4.1)

    General Accounting Office High-Risk Area. The General Accounting Office
    lists information assurance as a high-risk area. Although the Secretary of
    Defense annually establishes DoD-wide corporate-level goals and performance
    measures to address the requirements of the Government Performance and
    Results Act, the Department does not currently provide corporate-level goals for
    information assurance. This report provides coverage of the Information
    Security and System Modernization high-risk areas.

Methodology
    To assess the IT security posture of DoD, we selected a random sample of
    applications from a subset of systems.
    For those applications, the objective was
    to identify security personnel, such as the information system security officer
    and the designated approval authority, and to determine whether the applications
    had a Certification and Accreditation or an Interim Authority to Operate. We
    constructed a spreadsheet in which to compile and analyze results from our
    subset of systems.

    Use of Computer-Processed Data. Computer-generated information was the
    source for selecting the subset, but was not used as evidence in a finding.

    Universe and Sample. We identified applications operating or residing on the
    DISA Centers and Detachments as our subset of systems, the universe for this
    sample. In response to our request for DISA-supported applications, DISA
    Western Hemisphere provided a listing of 4,939 applications on Center and
    Detachment systems that were billed to customers. We did not validate the
    number of applications that DISA provided on its listing. Analysis of the
    4,939 applications determined that multiple occurrences of the same names
    appeared. Operations research analysts from the Quantitative Methods
    Division, Office of the Assistant Inspector General for Auditing, aggregated the
    list to include only unique names of applications, which left 1,365 applications.
    The analysts then generated a simple random sample of 90 applications.

    Measurement Issues. The listing of applications that DISA Western
    Hemisphere provided consisted of every line item billed by DISA. Some items
    were not, in fact, applications, but space on the network that customers must
    pay to use. We also found inactive or unacknowledged applications, for which
    we could not test the sample items for the attributes demonstrating security
    policy implementation. See Appendix C for details of the 90 sample
    applications. The categories of sample results and the number of applications
    in each category are shown below.

                Table A1. Sample Results by Certification and
                        Accreditation Status Category

    Category                                                    Sample Result
    Current Certification and Accreditation
      or Interim Authority to Operate                                     33
    Out-of-date Certification and Accreditation
      or Interim Authority to Operate                                      2
    No Certification and Accreditation and
      no Interim Authority to Operate, or incomplete                      19
    Other IT                                                               9
    Unable to test the Certification and Accreditation
      or Interim Authority to Operate status                              27
    Total                                                                 90

    Measurement Results. The operations research analysts projected the
    confidence intervals reported below using a 90 percent confidence level. The
    results shown in the report are the point estimates projected for the universe of
    1,365 unique applications. The complete results of the projections are shown
    below.

               Table A2. Certification and Accreditation Status
                 Projected to the Population of Applications

    Category                                      Lower      Point       Upper
                                                  Bound   Estimate(1)    Bound
    Current Certification and Accreditation
      or Interim Authority to Operate               383        501         618
    Out-of-date Certification and Accreditation
      or Interim Authority to Operate             --(2)         30          72
    No Certification and Accreditation and
      no Interim Authority to Operate, or
      incomplete (certification only)               187        288         389
    Other IT                                         60        137         213
    Unable to test the status of the
      Certification and Accreditation or
      Interim Authority to Operate                  297        410         522

    (1) The point estimates do not add up to the population because of rounding.
    (2) The lower bound estimate is below zero and therefore is not reported.

    Use of Audit Assistance. The Army Audit Agency and the Air Force Audit
    Agency gathered and analyzed data for those sample items that belonged to
    customers within their respective Component. The Army Audit Agency
    gathered and analyzed data for 34 sample items, and the Air Force Audit
    Agency gathered and analyzed data for 19 sample items. We accepted that data
    without further review and merged it into a common spreadsheet for
    interpretation of the overall sample results. The Army Audit Agency and the
    Air Force Audit Agency also provided responses to the specific questions from
    the OMB reporting guidance. See Appendixes C and D, respectively.

    Use of Technical Assistance.
    One computer engineer from the Technical
    Assessment Division, Office of the Assistant Inspector General for Auditing,
    assisted in planning the audit. In addition, two operations research analysts
    from the Quantitative Methods Division, Office of the Assistant Inspector
    General for Auditing, assisted in selecting the random sample from the subset of
    applications and interpreting the results.

    Evaluation Dates. We conducted this program evaluation from January 2001
    through August 2001, in accordance with standards issued by the Inspector
    General, DoD. The reports that provided source information were issued
    between April 1, 2000, and August 22, 2001.

    Contacts During the Audit. We visited or contacted individuals and
    organizations within the DoD. Further details are available upon request.

Appendix B. Prior Coverage
    The following reports discussing elements of information security in the DoD
    were issued from April 2000 through August 2001. Summaries of each of the
    listed reports appear in Report No.
    D-2001-182, “Information Assurance
    Challenges—A Summary of Results Reported April 1, 2000, through August 22,
    2001,” September 19, 2001.

General Accounting Office
    GAO-01-959T, “Electronic Government: Challenges Must be Addressed with
    Effective Leadership and Management,” July 11, 2001

    GAO-01-783, “Department of Defense: Status of Achieving Outcomes and
    Addressing Major Management Challenges,” June 25, 2001

    GAO-01-769T, “Critical Infrastructure Protection—Significant Challenges in
    Developing Analysis, Warning, and Response Capabilities,” May 22, 2001

    GAO-01-600T, “Computer Security—Weaknesses Continue to Place Critical
    Federal Operations and Assets at Risk,” April 5, 2001

    GAO-01-583T, “Information and Technology Management—Achieving
    Sustained and Focused Governmentwide Leadership,” April 3, 2001

    GAO-01-307, “Information Security: Progress and Challenges to an Effective
    Defense-wide Information Assurance Program,” March 30, 2001

    GAO-01-341, “Information Security: Challenges to Improving DoD’s Incident
    Responsibilities Capabilities,” March 29, 2001

    GAO-01-277, “Information Security—Advances and Remaining Challenges to
    Adoption of Public Key Infrastructure Technology,” February 26, 2001

    GAO-01-89, “Financial Management: Significant Weaknesses in Corps of
    Engineers’ Computer Controls,” October 11, 2000

    GAO/T-AIMD-00-314, “Computer Security—Critical Federal Operations and
    Assets Remain at Risk,” September 11, 2000

    GAO/AIMD-00-296R, “Federal Agencies’ Fair Information Practices,”
    September 11, 2000

    GAO/AIMD-00-295, “Information Security: Serious and Widespread
    Weaknesses Persist at Federal Agencies,” September 6, 2000

    GAO/T-AIMD-00-268, “Critical Infrastructure Protection—Challenges to
    Building a Comprehensive Strategy for Information Sharing and Coordination,”
    July 26, 2000

    GAO/AIMD-00-188R, “Software Change Controls at the Department of
    Defense,” June 30, 2000

    GAO/T-AIMD-00-229, “Critical Infrastructure Protection—Comments on the
    Proposed Cyber Security Information Act of 2000,” June 22, 2000

    GAO/AIMD-00-209R, “Defense Software Development,” June 15, 2000

    GAO/T-AIMD/GGD-00-179, “Electronic Government—Federal Initiatives Are
    Evolving Rapidly But They Face Significant Challenges,” May 22, 2000

    GAO/T-AIMD-00-181, “Critical Infrastructure Protection—‘ILOVEYOU’
    Computer Virus Highlights Need for Improved Alert and Coordination
    Capabilities,” May 18, 2000

    GAO/T-AIMD-00-171, “Information Security—‘ILOVEYOU’ Computer Virus
    Emphasizes Critical Need for Agency and Governmentwide Improvements,”
    May 10, 2000

Inspector General, DoD
    Report No. D-2001-183, “Implementation of DoD Information Security Policy
    for Processing Accomplished at Defense Enterprise Computing Centers,”
    September 19, 2001

    Report No. D-2001-182, “Information Assurance Challenges—A Summary of
    Results Reported April 1, 2000, through August 22, 2001,” September 19, 2001

    Report No. D-2001-175, “Application of Year 2000 Lessons Learned,”
    August 22, 2001

    Report No. D-2001-166, “Defense Joint Military Pay System Security Functions
    at Defense Finance and Accounting Service Denver,” August 3, 2001

    Report No. D-2001-148, “Automated Transportation Payments,” June 22, 2001

    Report No. D-2001-141, “Allegations to the Defense Hotline on the Defense
    Security Assistance Management System,” June 19, 2001

    Report No. D-2001-137, “Certification of the Defense Civilian Personnel Data
    System,” June 7, 2001

    Report No. D-2001-136, “Defense Clearance and Investigations Index
    Database,” June 7, 2001

    Report No. D-2001-130, “DoD Internet Practices and Policies,” May 31, 2001

    Report No. D-2001-127, “Data Reliability Assessment Review of
    win.COMPARE2 Software,” May 23, 2001

    Report No. D-2001-101, “Controls Over Electronic Document Management,”
    April 16, 2001

    Report No. D-2001-095, “Controls for the Electronic Data Interchange at the
    Defense Finance and Accounting Service Columbus,” April 6, 2001

    Report No. D-2001-068, “Inspector General, DoD, Oversight of the Audit of
    the FY 2000 Military Retirement Fund Financial Statements,” February 28,
    2001

    Report No. D-2001-055, “General Controls for the Defense Civilian Pay
    System,” February 21, 2001 (For Official Use Only)

    Report No. D-2001-052, “Controls Over the Defense Joint Military Pay
    System,” February 15, 2001 (For Official Use Only)

    Report No. D-2001-044, “Accreditation Policies and Information Technology
    Controls at the Defense Enterprise Computing Center Mechanicsburg,”
    February 9, 2001 (For Official Use Only)

    Report No. D-2001-046, “Information Assurance at Central Design Activities,”
    February 7, 2001

    Report No. D-2001-029, “General Controls Over the Electronic Document
    Access System,” December 27, 2000

    Report No. D-2001-019, “Program Management of the Defense Security
    Service Case Control Management System,” December 15, 2000

    Report No. D-2001-017, “Unclassified but Sensitive Internet Protocol Router
    Network Security Policy,” December 12, 2000

    Report No. D-2001-016, “Security Controls Over Contractor Support for
    Year 2000 Renovation,” December 12, 2000

    Report No. D-2001-013, “DoD Compliance with the Information Assurance
    Vulnerability Alert Policy,” December 1, 2000

    Report No. D-2000-182, “Data Processing Control Issues for the FY 1999
    Military Retirement Fund,” August 31, 2000 (For Official Use Only)

    Report No. D-2000-142, “Defense Information Systems Agency’s Acquisition
    Management of the Global Combat Support System,” June 9, 2000

    Report No. D-2000-139, “Controls Over the Integrated Accounts Payable
    System,” June 5, 2000

    Report No. D-2000-122, “Information Assurance in the Advanced Logistics
    Program,” May 12, 2000

    Report No. D-2000-116, “Configuration Changes to Year 2000 Compliant
    Mission-Critical and Date-Dependent Systems,” April 25, 2000

Army
    Report No. AA 01-319, “Corps of Engineers Financial Management System:
    General and Application Controls,” June 26, 2001

    Report No. AA 00-287, “Information Assurance—Phase V: Information
    Assurance Vulnerability Alert Process,” June 30, 2000

    Report No. AA 00-286, “Information Assurance—Phase IV: Reporting Process
    and Vulnerability Assessment Results,” June 30, 2000 (For Official Use Only)

Navy
    Report No. N2001-0029, “Department of the Navy Principal Statements for
    FY 2000: Feeder Systems and Interfaces,” June 1, 2001

    Report No. N2000-0045, “Navy Working Capital Fund Financial Management
    Feeder Systems for Fiscal Year 1999,” September 29, 2000

Air Force
    Report No. 01066018, “Access Controls at Air Force High Performance
    Computing Centers,” June 26, 2001

    Report No. 01066002, “Database Security Controls,” June 7, 2001

    Report No. 99066040, “Air Force Research Laboratory UNIX-Based Computer
    Systems,” May 21, 2001

    Report No. 00054006, “Air Force Restoration Information Management System
    Controls,” May 18, 2001

    Report No. 00066006, “Implementation of Network Management System/Base
    Information Protection,” May 1, 2001

    Report No. 99066041, “Controls Over Air Force Composite Health Care
    Systems,” December 13, 2000

    Report No. 99066038, “Web Page Management,” November 8, 2000 (For
    Official Use Only)

    Report No. 99054027, “Review of Controls in the Command Online Accounting
    and Reporting System (COARS),” November 1, 2000

    Report No. 99066018, “Information Assurance—Implementing Controls Over
    Known Vulnerabilities in Pacific Air Force Computer Systems,” August 11,
    2000 (For Official Use Only)

    Report No. 99066024, “Information Assurance—Implementing Controls Over
    Known Vulnerabilities in Air Force Reserve Command Computers,” July 7,
    2000 (For Official Use Only)

    Report No. 99066017, “Information Assurance—Implementing Controls Over
    Known Vulnerabilities in Air Force Space Command Computers,” May 26,
    2000 (For Official Use Only)

    Report No. 99066028, “Controls Within the Acquisition Due-In System,”
    May 1, 2000

Appendix C. Army Audit Agency Response to
            OMB Questions

Appendix D. Air Force Audit Agency Response
            to OMB Questions

Appendix E. Reports Specifying Management
            Control Weaknesses
    DoD Reports (Inspector General, Army Audit Agency, Naval Audit Service,
    and Air Force Audit Agency) identified the following weaknesses in policies,
    procedures, or practices; the first 13 reports state that the weaknesses were
    material:

    1. Inspector General, DoD, Report No. D-2001-148, “Automated
    Transportation Payments,” June 22, 2001, stated that management controls over
    the automated transportation payment process were not adequate to ensure that
    DoD resources were safeguarded. The controls were not adequate to safeguard
    sensitive information or to ensure the production of reliable data.

    2. Inspector General, DoD, Report No.
    D-2001-055, “General Controls for the
    Defense Civilian Pay System,” February 21, 2001, identified multiple
    weaknesses. The report discussed establishing an overall security program,
    controlling access to the system, implementing procedures for developing and
    changing computer software, establishing policies for proper segregation of
    duties, and establishing procedures for preventing disruptions in service to
    customers.

    3. Inspector General, DoD, Report No. D-2001-052, “Controls Over the
    Defense Joint Military Pay System,” February 15, 2001, stated that general
    controls over the subject system at DISA and the Defense Finance and
    Accounting Service were not adequate. The controls did not provide reasonable
    assurance of the integrity, confidentiality, and availability of computer-
    processed data.

    4. Inspector General, DoD, Report No. D-2001-101, “Controls over Electronic
    Document Management,” April 16, 2001, stated that management controls were
    not adequate to ensure the accuracy of electronic transactions using Electronic
    Document Management.

    5. Inspector General, DoD, Report No. D-2001-095, “Controls for the
    Electronic Data Interchange at the Defense Finance and Accounting Service
    Columbus,” April 6, 2001, stated that management controls could not ensure
    that the security for Electronic Data Access and Electronic Data Interchange
    was adequate.

    6. Inspector General, DoD, Report No. D-2001-044, “Accreditation Policies
    and Information Technology Controls at the Defense Enterprise Computing
    Center Mechanicsburg,” February 9, 2001, stated that management controls for
    the Mechanicsburg Center could not provide reasonable assurance of the
    adequacy of selected information system controls. The report further stated that
    DISA site recertification and reaccreditation decisions could be unreliable and
    inconsistent among DISA sites.

    7. Inspector General, DoD, Report No. D-2001-029, “General Controls Over
    the Electronic Document Access System,” December 27, 2000, stated that
    management controls were not adequate to ensure the accuracy of electronic
    transactions using Electronic Document Access.

    8. Inspector General, DoD, Report No. D-2001-019, “Program Management of
    the Defense Security Service Case Control Management System,”
    December 15, 2000, stated that management controls were inadequate for the
    acquisition of the Case Control Management Systems and the Defense Security
    Service Enterprise System.

    9. Inspector General, DoD, Report No. D-2001-017, “Unclassified but
    Sensitive Internet Protocol Router Network Security Policy,” December 12,
    2000, stated that the lack of NIPRNet security policy guidelines was a material
    management control weakness.

    10. Inspector General, DoD, Report No. D-2000-182, “Data Processing
    Controls Issues for the FY 1999 Military Retirement Fund,” August 31, 2000,
    identified general control weaknesses in electronic data processing controls at
    the computer processing locations servicing the Military Retirement Fund.
    Control weaknesses included deficiencies in the design and operation of access
    controls, security policies and procedures, and program change control.

    11. Inspector General, DoD, Report No. D-2000-142, “Defense Information
    Systems Agency’s Acquisition Management of the Global Combat Support
    System,” June 9, 2000, stated that management controls were inadequate.
    DISA had not integrated cost, schedule, and performance parameters into its
    management control plan for the acquisition of the Global Combat Support
    System. Specifically, control objectives and techniques and evaluations for
    monitoring results and effectiveness did not link to mission area planning,
    budgeting, project management, accounting, and auditing cycles.

    12. Inspector General, DoD, Report No. D-2000-139, “Controls Over the
    Integrated Accounts Payable Systems,” June 5, 2000, stated that the DFAS
    controls over the subject system and the processing of vendor payments were
    not adequate to ensure that all payments were properly supported and valid.

    13. Inspector General, DoD, Report No. D-2000-122, “Information Assurance
    in the Advanced Logistics Program,” May 12, 2000, stated that management
    controls were not adequate to ensure that information assurance was properly
    addressed and evaluated during the development of the Advanced Logistics
    Program.

    14. Army Audit Agency Report No. AA 01-319, “Corps of Engineers
    Financial Management System: General and Application Controls,” June 26,
    2001, stated that internal controls over the Corps of Engineers’ Financial
    Management System were not adequate to rely on for the Civil Works Program
    financial statements. The Corps did not have a reliable set of computer controls
    to ensure the integrity, confidentiality, and availability of financial and sensitive
    data contained in the system.

    15. Army Audit Agency Report No. AA 00-286, “Information Assurance—
    Phase IV: Reporting Process and Vulnerability Assessment Results,” June 30,
    2000, stated that information systems at 15 locations had significant host-level
    vulnerabilities. Poor configuration management controls allowed locally owned
    systems and networks to have root access to Army information systems.

    16. Naval Audit Service Report No. N2001-0029, “Department of the Navy
    Principal Statements for FY 2000: Feeder Systems and Interfaces,” June 1,
    2001, identified material internal control weaknesses, including incomplete
    contract files and insufficient audit trails at three Naval Supply Systems
    Command activities. Without audit trails, the Navy could not verify that data
    was accurate, complete, and supportable, as required by the Financial
    Management Regulation.

    17. Naval Audit Service Report No. N2000-0045, “Navy Capital Working
    Fund Financial Management Feeder Systems for FY 1999,” September 29,
    2000, identified material internal control weaknesses for the Department of
    Navy Capital Working Fund. The weaknesses included inadequate control of
    access, failure to ensure backup and disaster recovery, and insufficient and
    outdated system documentation.

    18. Air Force Audit Agency Report No. 99066040, “Air Force Research
    Laboratory UNIX-Based Computer Systems,” May 21, 2001, stated that
    computer system personnel did not require adequate technical and management
    controls for continued security over Air Force Research Laboratories systems
    and information.

    19. Air Force Audit Agency Report No. 00054006, “Air Force Restoration
    Information Management Systems Controls,” May 18, 2001, stated that system
    control weaknesses were identified for 6 of 11 control areas reviewed.
    Managers of the Air Force Restoration Information Management System had not
    established adequate system password and data access controls or ensured that
    the system provided a transaction history and audit trails.

    20. Air Force Audit Agency Report No. 99066038, “Web Page Management,”
    November 8, 2000, identified management control weaknesses for web pages,
    establishing web master core training requirements, and enhancing web server
    security.

    21. Air Force Audit Agency Report No. 99054027, “Review of Controls in the
    Command Online Accounting and Reporting System (COARS),” November 1,
    2000, stated that general controls for the subject system did not meet financial
    management system requirements. The system did not meet requirements for
    separation of duties, access controls, system software, and physical security.
    The Air Force had no assurance that the system applications were running in a
    secure, controlled environment.

    22. Air Force Audit Agency Report No. 99066018, “Information Assurance—
    Implementing Controls Over Known Vulnerabilities in Pacific Air Force
    Computer Systems,” August 11, 2000, identified weaknesses for the Pacific Air
    Force computer systems in configuration management controls. Controls did
    not ensure that current vendor patches and service packs were loaded on all
    computers and that users were assigned proper privileges. In addition,
    identification and authentication controls to prevent unauthorized access to
    information on networked computers were weak.

    23. Air Force Audit Agency Report No. 99066028, “Controls Within the
    Acquisition Due-In System,” May 1, 2000, identified control weaknesses for the
    Acquisition Due-In System in access controls, transaction histories and audit
    trails, transaction controls, completeness controls, and documentation.

Appendix F.
Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n  Deputy Assistant Secretary of Defense, Deputy Chief Information Officer\n  Deputy Assistant Secretary of Defense, Security and Information Operations\n      Director, Defense-Wide Information Assurance Program\n\nJoint Staff\nDirector, Joint Staff\n  Director, Operations\n     Deputy Director for Operations (Information Operations)\n  Director, Command, Control, Communications, and Computers\n     Chief, Information Assurance Division, Deputy Director for Command, Control,\n         Communications, and Computers Assessment and Technology\n\nDepartment of the Army\nAssistant Secretary of the Army (Financial Management and Comptroller)\nChief Information Officer, Department of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNavy Chief Information Officer\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nChief Information Officer, Department of the Air Force\nAuditor General, Department of the Air Force\n\n\n\n\n                                          46\n\x0cOther Defense Organizations\nCommander, Joint Task Force Computer Network Defense\nDirector, Defense Contract Audit Agency\nDirector, Defense Finance and Accounting Service\nDirector, Defense Information Systems Agency\nDirector, Defense Logistics Agency\nDirector, National Security Agency\n   Inspector General, National Security Agency\nInspector General, Defense Intelligence Agency\n\nNon-Defense Federal Organizations\nOffice of Management and Budget\n  Office of the Information and Regulatory Affairs\n  National Security Division\nGeneral Accounting Office\n\nCongressional Committees and 
Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                         47\n\x0cEvaluation Team Members\nThe Acquisition Management Directorate, Office of the Assistant Inspector General for\nAuditing, DoD, prepared this report. Personnel of the Office of the Inspector, General\nDoD, who contributed to the report are listed below.\n\nMary L. Ugone\nWanda A. Hopkins\nRobert K. West\nJudith I. Padgett\nBryon J. Farber\nRichard B. Vasquez\nHeather L. Jordan\nMandy L. Rush\nHenry D. Barton\nDharam V. Jain\nAnn Ferrante\nJacqueline N. Pugh\n\x0c'